ISO PS016 Inventory, Tracking and Discarding of Computing Devices
Policy Name: Inventory, Tracking, Discarding and Redeployment of Computing Devices or Media
Policy Number: IS PS016
Effective Date: July 23, 2007
Review Date: January 29, 2013
Last Revision Date: January 29, 2013
Last Revision By: Kim Adams
Contact Name: Matthew Witten
Contact Email: ISOPolicy@louisville.edu
Approved By: Compliance Oversight Council
All computing devices and electronic media being redeployed, surplused, discarded or otherwise removed from service or changing service facilities must, regardless of the value of the computing device or media, have all sensitive information permanently deleted.
Important Note: See related Purchasing Department Policies and Procedures, Purchasing 33.00: Personal Property Inventory, for details regarding the purchase, identification, inventory and surplus of equipment. These policies and standards apply to all computing devices or associated electronic media, regardless of expendable classification per Purchasing Department policies and procedures.
Computing Device or Media Redeployment
- Any computing device being moved from one school, department, unit or other University entity to another (or between personnel with different access and need to know privileges if in the same unit) must have all sensitive information eradicated (see Technical Standards section for eradication guidelines).
- Any electronic media being moved from one school, department, unit or other University entity to another (or between personnel with different access and need to know privileges if in the same unit) must have all sensitive information eradicated (see Technical Standards section for eradication guidelines).
Computing Device or Electronic Media Disposal or Surplusing
- Any computing device being discarded, donated, sent to surplus or otherwise being removed from service must have all sensitive information eradicated (see Technical Standards section for eradication guidelines).
- Any electronic media being discarded, donated, sent to surplus or otherwise being removed from service must have all sensitive information eradicated. Physical destruction of the media is the best method of media disposal (see Technical Standards section for data eradication and destruction guidelines).
Electronic Protected Health Information (ePHI) Note:
- For any computing device or electronic media, as described in the above situations, that contained ePHI, a record or log of disposition of the devices or media must be maintained by the responsible University entity.
Proper tools are required to eradicate sensitive information. Links to tools for total eradication of data on the device as well as specific eradication of selected data are maintained on the Information Security Office web site.
Eradication of Data
Total eradication of data on the media is the preferred way to provide a reasonable assurance that information has been eliminated if the device or media is not to be destroyed (see physical media destruction below).
A total eradication tool must be used if the device or media is being removed from service within the University. Selective eradication of data may be used for computing devices or electronic media being redeployed (not disposed or surplused) provided ePHI was not housed on the computing device or electronic media.
Electronic Protected Health Information (ePHI) Note: Computing devices or electronic media which contain or contained ePHI must have the media cleansed using a total eradication method.
- Tier One or other qualified support staff who understand how to use the tools outlined above must perform this procedure. This is to both maximize assurance of data eradication and to minimize the chance of accidental inappropriate data deletion.
- Certification of Data Eradication - Computing Devices Surplus Certification labels are provided by the Purchasing Department to affix to the device and signify that the device or electronic media has had its data eradicated. It is extremely important that the procedures for this are followed. See http://louisville.edu/purchasing/policies/purchasing-33.00.html for more information.
Physical Media Destruction
Physical destruction of media is the preferred way to provide a high level of assurance that sensitive information has been eliminated if the media is being disposed and not redeployed. Physical destruction is considered complete only if the media has been disposed of with a shredder or other equipment designed for destroying media. "Casual destruction" (bending, cutting with scissors, breaking and similar activities) is not an adequate way to physically destroy electronic
Note: If proper physical destruction tools are not available for media being disposed, properly performed total eradication of data, as described above, is acceptable.
See related procedures at the Purchasing Department web site.
SCOPE / APPLICABILITY:
All persons while conducting/performing work, teaching, research or study activity or otherwise using University resources. Scope/Applicability also includes all facilities, property, data and equipment owned, leased and/or maintained by the University or affiliates.
POLICY AUTHORITY / ENFORCEMENT:
The University's Information Security Officer (ISO) is responsible for the development, publication, modification and oversight of these policies and standards. The ISO works in conjunction with University Leadership, Information Technology, Audit Services and others for development, monitoring and enforcement of these policies and standards.
This policy will be reviewed annually to determine if the policy addresses University risk exposure and is in compliance with the applicable security regulations and University direction. In the event that significant regulatory changes occur, this policy will be reviewed and updated as needed per the Policy Management process.
Failure to comply with these policies and standards and/or any related information security and/or information technology policy, standard or procedure may result in disciplinary action up to and including termination of employment, services or relationship with the University and/or action in accordance with local ordinances, state or federal laws.
Version / Revision Date / Description
1.0 / July 23, 2007 / Original Publication
1.1 / January 29, 2013 / Content Update
This policy is subject to change or termination by the University at any time. This policy SUPERSEDES all prior policies, procedures or advisories pertaining to the same subject.
Approved July 23, 2007 by the Compliance Oversight Council
Shirley C Willihnganz, Executive Vice President and University Provost, Chair of the Compliance Oversight Council